Organisations overlook basic security threats

3 Feb 2010

Organisations large and small are implementing the latest security technologies but many are still ignoring basic security issues in legacy IT systems, according to Trustwave’s 2010 Global Security Report.

The report was compiled by SpiderLabs, the advanced security team at Trustwave responsible for incident response and forensics, penetration testing, application security and security research.

The most notable trend of 2009 was the continued existence of attack vectors despite the security industry’s awareness of the associated vulnerabilities for a decade or more. Organisations large and small were found to be moving forward with plans to implement new technology, while leaving basic security threats overlooked in legacy environments and IT systems.

A recent article in USA Today agrees with these findings: “The vast majority of organisations routinely fail to take simple defensive measures, such as shoring up common website weaknesses or uniformly enforcing the use of strong passwords.”

In a striking trend, the SpiderLabs team also found that third-party vendors or their software was responsible for more than 81pc of investigations of a security incident or compromise. It was these third parties that introduced many deficiencies exploited by the attacker, such as default vendor-supplied passwords and insecure remote access applications.

In addition to the analysis of breach investigations, SpiderLabs also published technical information on the top vulnerabilities encountered during the penetration tests performed. The most telling results were those industries that requested penetration tests were the least compromised sector.

For example, technology and business services sector clients made up 36.1pc of the penetration tests performed in 2009, yet only 9pc of compromise investigations. Conversely, hospitality and food and beverage clients accounted for 7.6pc of the penetration tests performed, while this sector made up a stunning 51pc of investigations conducted by SpiderLabs.

“It’s clear that organisations are managing current threats in a very reactive manner, rather than proactively reviewing their entire security posture and developing a plan that secures their data, systems and facilities,” says Robert J. McCullen, chairman and CEO of Trustwave.

“This report will provide companies throughout the world with the actionable information on detecting the leading vulnerabilities and guidance on how to mitigate those threats and secure their organization.”

“The incidents we investigated showed that the hacking techniques used to penetrate a system were trivial – that is they are very simple attack methods that have existed for many years,” says Nicholas J. Percoco, senior vice president and head of SpiderLabs.

“Yet many of these organisations never knew the vulnerabilities or the systems penetrated existed within their environment. In 2010, organisations should adjust their security plans and prioritize security risks before implementing a new strategic initiative.”

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years